An Exploration of NFC Transactions and Explanation How Apple Pay and Android Pay work

This talk will dive into the techniques and protocols that drive contactless card payments at the Point of Sale. We will explore how Apple Pay works on a technical level and why you are able to 'clone' your credit card onto your phone. Building upon previous C3 talks on the topics of EMV and ICC payments, we will learn about different NFC payment options, why legacy will never die and how the individual card brands have specified their payment workflows.

Contactless payments are gaining more momentum every day and even though Apple Pay is not yet available in Germany, you are able to use your new contactless credit card at an increasing number of locations. This trend is not likely to stop anytime soon and it is time to understand what is going on the lower layers.

To jumpstart the discussion, we will first have a look at all the parties involved in a card transaction and where they are placed in the communication and decision chain. From there we are comparing the differences between a chip (ICC) and a contactless (NFC) transaction.

Afterwards we are ready to look at Apple Pay, Android Pay and other card emulations. Even though they provide the same features on first look, they work fundamentally different on the technical level. We will learn about storing sensitive transaction information offline on the device in a Secure Element (SE) or online with your service provider utilizing Hosted Card Emulation (HCE).

In the end, we will take a short look at how contactless payments might influence our future, why legacy is still king and if tokenization might just save your day one time.